// investigation guide

online doxxing (post-event triage) — methodology

online doxxing is not the same case type as sustained cyberstalking — though the two overlap. here the harm has already landed: home address, phone, employer, and family names are on a paste site, reposted across forums, mirrored on cheap TLD archives, and spreading through shortened links before the victim finishes reading the first notification. your job is post-event triage: scope exposure with the doxxing victim investigation kit, preserve what platforms delete on report, trace the republish chain through redirect hops and paste-site domains, and build an evidence package for takedown and safety planning — not a public attribution thread. entity resolution and knowledge graph work comes after the victim knows what leaked and whether they are safe tonight. victim safety comes before deanonymization.

safety and preservation — before any of the path

doxxing cases often sit inside domestic violence, workplace retaliation, fandom harassment, or post-breakup escalation. if you are supporting someone whose PII just went public, start with safety planning and advocate intake — not OSINT scraping. this guide documents evidence preservation only; it is not counseling, advocacy, or legal advice. US crisis lines: 988 (suicide & crisis lifeline) · 1-800-799-7233 (national DV hotline). this case type is narrower than cyberstalking methodology: the PII is already published; the immediate question is exposure scope and takedown, not whether harassment is escalating toward doxxing.

  1. is the victim physically safe right now? published home addresses and workplace details can precede swatting or in-person contact — treat location leaks as safety data, not puzzle pieces.
  2. will screenshotting posts, requesting platform data, or visiting paste URLs notify the actor or trigger counter-dox? shared devices and login-alert emails can tip them off.
  3. does the victim want a forensic record, platform takedowns, police involvement, or all three? each path has different risk — an advocate should help choose order, not a well-meaning friend with a CSV tool.
  4. preserve without confronting. do not message the poster, do not post "we know it's you," do not threaten legal action until safety planning says it is safe. public confrontation often accelerates republishing.
  5. document consent if you are not the victim — verbal permission is not enough for advocates and counsel. note who pulled what export, when, and from which account.
  6. work on a workstation and accounts the harasser does not control. if the victim must keep using a compromised login, assume abuse tickets and login history are visible to the actor.
  7. if the victim needs to disappear from the harasser's view: safety reset (new accounts, address confidentiality programs, credit freezes) may be correct even when it destroys some evidence. respect that call.

what evidence exists and how fast it dies

| artifact | volatility | time to loss |
|---|---|---|
| live dox posts / paste-site pages | volatile on host | minutes after abuse report or moderator action · archive immediately |
| social exports + PII exposure logs + threat messages | persistent if saved | platform deletion · victim panic-deletes thread · grab before reset |
| screenshots and screen recordings of dox posts | persistent on disk | lost if victim deletes gallery or platform removes post without archive |
| OSINT scrape dumps (handles, emails, IPs, domains) | mixed | profiles go private · paste sites rotate URLs · WHOIS privacy hides registration |
| shortened URL redirect chains | volatile | shortener expires · paste site moves · capture chain JSON while links resolve |
| IOCs embedded in post text and archived HTML | persistent if extracted | URLs rot · domains repoint · extract before mirror takedown |
| platform abuse ticket correspondence | persistent with vendor | not in your export unless you save confirmation emails and case numbers |
| paste-site and dox-archive domains | persistent until takedown | hours if registrar suspends · grab WHOIS + HTTP capture early |
| republish mirror threads (reddit, forums, telegram) | volatile on platform | mod removal + account suspension · grab post IDs and permalinks first |
| ChatGPT / Claude conversation exports | persistent if exported | account ban or vendor retention expiry · export while session exists |

the first 10 minutes

  1. confirm the victim is safe and wants evidence preserved — if not, stop here and connect them to an advocate (988 · 1-800-799-7233).
  2. record UTC timestamps for when the dox was first seen, first republish, and any escalation (swatting threat, in-person contact attempt).
  3. screenshot or archive every live post and paste-site page with visible URL, account handle, and UTC clock — do not rely on memory after takedown.
  4. list every piece of PII exposed (address, phone, employer, family names, photos) in a plain text index — this drives safety planning before OSINT.
  5. copy shortened links from posts into a file and resolve redirect chains before they expire — save the full URL chain, not just the social post.
  6. pull any social exports, threat DMs, and abuse-report confirmations the victim can legally provide; hash every file with sha-256 before editing.
  7. list paste-site and mirror domains in a plain text file — include full URL, first-seen date, and how the victim encountered them.
  8. run the doxxing victim investigation kit on collected exports to score exposure severity and flag critical findings.
  9. do not confront the poster, do not post public accusations, do not visit paste URLs from accounts the actor may monitor.
  10. begin the path below on copies — not on live accounts while the harasser still has shared-login access.
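
steps 2, 5 and 6 above as one evidence manifest, in an added example that is not part of the kit described on this page: it hashes every collected file with sha-256, records who pulled it, from which account and when (UTC), and later reports any file whose bytes changed. the folder layout, collector label and account label are hypothetical, and the sample files are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """stream the file so large exports and screen recordings never sit fully in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, source_account):
    """one row per file: relative path, size, sha-256, who pulled it, from where, when (UTC)."""
    recorded = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    return [{"file": p.relative_to(evidence_dir).as_posix(), "bytes": p.stat().st_size,
             "sha256": sha256_file(p), "collector": collector,
             "source_account": source_account, "recorded_utc": recorded} for p in files]


def verify_manifest(evidence_dir, manifest):
    """return files that are missing or whose bytes changed since they were hashed."""
    return [row["file"] for row in manifest
            if not (evidence_dir / row["file"]).is_file()
            or sha256_file(evidence_dir / row["file"]) != row["sha256"]]


def demo():
    """constructed sample files only; collector and account labels are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "exports").mkdir()
        (root / "exports" / "threat_dms.json").write_bytes(b'{"constructed": "sample"}')
        (root / "pii_index.txt").write_bytes(b"constructed sample index\n")
        manifest = build_manifest(root, "advocate-a", "victim-primary-account")
        untouched = verify_manifest(root, manifest)
        (root / "pii_index.txt").write_bytes(b"edited after hashing\n")  # simulate an edit
        return manifest, untouched, verify_manifest(root, manifest)


if __name__ == "__main__":
    manifest, untouched, changed = demo()
    print(untouched, changed)  # keep the saved manifest outside the evidence folder
```

work on copies after the manifest is written; a non-empty result from `verify_manifest` means the originals were touched.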

the path

online doxxing evidence arrives as published posts, paste-site archives, OSINT scrapes, and platform exports — not a disk image. run steps 1–4 to scope exposure and build identity clusters; steps 5–7 on infrastructure and republish chains; step 8 only when AI chat exports exist in the case file.

  1. doxxing victim investigation kit

    social post exports, PII exposure logs, threat messages, and screenshot evidence dropped together. builds a victim safety report with severity-tagged findings, entity rows, and a scored exposure assessment — the intake layer before deep OSINT work.

    why first: the victim's PII is already public. before you chase the author, scope what leaked, where it republished, and what safety actions are urgent. this kit orients advocates on exposure severity, not attribution vanity.

  2. osint normalizer

    raw OSINT scrape dumps — handles, emails, phones, IPs, domains in mixed column names and formats. canonicalizes fields, deduplicates noise, and emits rows the resolver and graph tools can ingest without hand-editing.

    why second: doxxing investigations paste scrapes from paste sites, people-search mirrors, and platform exports with five different schemas. normalizing early prevents the same phone appearing as +1-503-555-0142 in one dump and 5035550142 in another from splitting into false separate entities.

  3. multi-source entity resolver

    reddit CSV, forum CSV, OSINT scrape text, abuse-report exports, and harassment activity logs. merges handles, emails, IPs, and display names into candidate identity clusters — the author account, republish bots, and mirror operators.

    why third: dox campaigns use throwaway accounts per platform. one handle per site is often a decoy. entity resolution gives you a working set of aliases before you build a graph or file platform abuse tickets.

  4. investigation knowledge graph builder

    normalized entity rows plus activity CSV (user → host → IP edges). renders linked nodes for paste-site hosts, republish mirrors, author personas, and infrastructure hops — the shape of the exposure chain.

    why fourth: once entities are resolved, you need to see how the dox spread — which host served the archive, which mirror reposted six hours later, which alias posted the original thread. flat spreadsheets hide the republish pivot points.

  5. domain reputation analyzer

    paste-site domains, dox-archive hosts, and lookalike URLs from the exposure chain. flags registration age, TLD risk, homoglyph patterns, and parking indicators for registrar abuse reports and takedown packages.

    why fifth: paste sites and cheap TLD archives are the persistence layer. domain reputation ties infrastructure to the campaign for abuse tickets — many republish chains live on domains that suspend fast if packaged cleanly.

  6. ioc extractor

    dox post text, screenshot OCR exports, platform abuse correspondence, and archived HTML. pulls IPs, domains, URLs, emails, and wallet strings into structured IOC rows for graph import and takedown index files.

    why sixth: victims archive posts as screenshots and copy-paste threads. ioc extraction turns unstructured evidence into a searchable list before URLs rot and paste sites rotate domains.

  7. url redirect chain tracer

    shortened links embedded in dox posts, republish threads, and harassment DMs. resolves redirect hops offline from captured chain JSON — surfaces the terminal paste-site or mirror host behind t.co, bit.ly, and platform-native shorteners.

    why seventh: actors hide paste-site URLs behind shorteners to evade automated takedown and platform link filters. the redirect chain is often the only stable path from a social post to the hosting infrastructure.

  8. ai chatbot multi-account correlation analyzer

    ChatGPT and Claude conversation exports (JSON). surfaces shared burner emails, device fingerprints, session IDs, and prompt themes that tie dox drafts across platforms — pre-publication intent before the paste went live.

    why last: not every dox case includes AI chat evidence, but when it does, the burner email in a Claude export is often the earliest stable identifier. run this after the exposure chain is scoped so you compare the right upstream sessions.
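
the false-split problem from step 2, worked through in an added example that is not the osint normalizer's own code: dumps with different column names and phone formats are mapped to canonical fields, merged with their source dumps kept as provenance, and anything ambiguous is queued for manual review instead of guessed. the header aliases, the +1 default for bare 10-digit numbers, and the sample dumps are assumptions constructed for illustration.

```python
import re

# assumed header aliases (constructed); extend with the column names your dumps actually use
FIELD_ALIASES = {
    "phone": {"phone", "phone_number", "tel", "mobile"},
    "email": {"email", "e-mail", "mail", "email_address"},
}


def canonical_field(column):
    key = column.strip().lower().replace(" ", "_")
    return next((f for f, names in FIELD_ALIASES.items() if key in names), None)


def normalize_phone(raw, default_cc="1"):
    """return +<digits>, or None when the country code cannot be inferred safely."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits if 8 <= len(digits) <= 15 else None
    if len(digits) == 10:  # assumption: bare 10-digit numbers are NANP (+1)
        return "+" + default_cc + digits
    if len(digits) == 11 and digits.startswith(default_cc):
        return "+" + digits
    return None  # ambiguous: send to manual review instead of guessing


def merge_dumps(dumps):
    """dumps: {source: [row dicts]} -> ({(field, value): [sources]}, [unparsed cells])."""
    merged, review = {}, []
    for source, rows in dumps.items():
        for row in rows:
            for column, raw in row.items():
                field = canonical_field(column)
                if field is None or not raw.strip():
                    continue
                # emails are trimmed and lowercased; phones go through normalize_phone
                value = normalize_phone(raw) if field == "phone" else raw.strip().lower()
                if value:
                    merged.setdefault((field, value), set()).add(source)
                else:
                    review.append((source, column, raw))
    return {k: sorted(v) for k, v in merged.items()}, review


# constructed sample dumps; the first two phone formats are the ones quoted in step 2
SAMPLE = {
    "paste_scrape": [{"Phone Number": "+1-503-555-0142", "E-Mail": "Burner@Example.com"}],
    "forum_csv": [{"tel": "5035550142", "email": " burner@example.com"}],
    "mirror_export": [{"mobile": "(503) 555-0142"}, {"phone": "555-0142"}],
}
print(merge_dumps(SAMPLE))
```

the three phone spellings collapse into one row that lists all three source dumps, while the 7-digit fragment lands in the review list because no country or area code can be inferred.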

cross-correlation

after the path, drop every csv/json export into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted view across original post, republish mirror, redirect resolution, and AI chat session — the republish pivot should sit next to the paste-site domain row, not in separate spreadsheets. then run domains, handles, and extracted IOC hashes through fatcousin-cross-export-ioc-hash-correlator to catch the same alias in entity resolver output and ioc extractor rows before advocate takedown packages go out. still zero upload.

reference investigation

synthetic fixture for this case type is pending — a dedicated online-doxxing pack will extend the ellis-cyberstalking scenario with paste-site republish chains and victim-kit goldens. until then, use the cyberstalking methodology fixture as adjacent reference for entity graph and AI export patterns.
